Asymmetric cryptography in the random oracle model. Gregory Neven IBM Zurich Research Laboratory
|
|
- Esmond Sanders
- 7 years ago
- Views:
Transcription
1 Asymmetric cryptography in the random oracle model Gregory Neven IBM Zurich Research Laboratory
2 Overview Provable security: the concept Digital signatures and the Random Oracle Model Public-key encryption in the ROM 2
3 The concept Until mid-1980s: cryptography as a craft security = resistance against known attacks + vague intuition why hard to break (if any) assumed secure until broken More recently: provable security 1. clear, well-stated goal, aka security notion usually defined via game with adversary 2. clear, well-stated assumption usually hard mathematical problem (e.g. factoring) or security of underlying building block 3. rigorous mathematical proof only way to break scheme is by breaking assumption 3
4 Security notions What does it mean for the scheme to be secure? Often many desirable properties So what is the right security notion? Good security notion implies all/most/many/some of the intuitive desiderata is achievable often takes time to settle down in community Several good notions can coexist Formalized by means of game with adversary e.g. digital signatures pk A M,σ A wins if σ is valid signature for M 4
5 Information-theoretic vs. computational security Information-theoretic security No restrictions on A s resources Advantage zero (perfect) or negligible (statistical) No underlying computational assumptions Completely excludes attacks! Computational security A s resources are bounded e.g. max running time, max #queries, Security relative to an underlying assumption e.g. hardness of factoring, security of AES, Attacks possible, but require scientific breakthrough 5
6 Asymptotic vs. concrete security Asymptotic security Running time of A is polynomial in security parameter k (e.g. key length) Advantage is negligible function in k meaning c k c : Adv(A) < 1/k c for all k > k c Scheme is secure iff Adv(A) is negligible for all A with running time poly(k) Concrete security Running time of A is at most t steps Advantage is at most ε Scheme is (t,ε)-secure iff Adv(A) < ε for all A running in time at most t 6
7 Assumptions Number-theoretic assumptions hardness of factoring one-wayness of RSA hardness of computing discrete logarithms Cryptographic assumptions AES is a pseudo-random permutation SHA-1 is a collision-resistant hash function 7
8 Security proofs Usually by contradiction: Given A against scheme, build B against assumption A pk M,σ B N pk A M,σ p,q Asymptotic security notion If exists poly-time A with non-negligible Adv scheme (A) then exists poly-time B with non-negligible Adv assumption (B) Concrete security If exists A that (t,ε)-breaks the scheme then exists B that (t,ε )-breaks assumption for t f(t), ε g(ε) 8
9 Limitations of provable security Provable unbreakable Security only relative to assumption better name: reductionist security Adversary stepping outside the model e.g. side-channel attacks Flawed proofs (cryptographers are only human) Implementation errors (so are programmers) Still, important tool to gain confidence by understanding compare schemes when deciding on industry standards 9
10 Overview Provable security: the concept Digital signatures and the Random Oracle Model Public-key encryption in the ROM 10
11 Syntax of digital signatures Digital signature scheme DS = (Kg, Sign, Vf) where Key generation: (pk, sk) R Kg Signing: σ R Sign(sk, M) Verification: 0/1 Vf(pk, M, σ) Correctness Vf(pk, M, Sign(sk, M)) = 1 11
12 Security of digital signatures Desirable properties Given pk, hard to compute sk Given M, hard to compute σ such that Vf(pk, M, σ) = 1 Given σ for M, hard to compute σ for M Unforgeability under chosen-message attack pk A M i σ i Sign(sk, ) (pk,sk) R Kg (M,σ) R A Sign(sk, ) (pk) A wins iff Vf(pk,M,σ)=1 and M / {M 1,,M N } M,σ Adv uf-cma (A) = Pr [ A wins ] DS 12
13 Textbook RSA signatures Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) pk (N,e) ; sk (N,d) Sign(sk,M): (assume M Z*) N σ M d mod N Vf(pk,M,σ): Check that σ e = M mod N pk Are these uf-cma secure? A M i σ i Sign(sk, ) M,σ 13
14 Textbook RSA signatures Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) pk (N,e) ; sk (N,d) Sign(sk,M): (assume M Z*) N σ M d mod N Vf(pk,M,σ): Check that σ e = M mod N Are these uf-cma secure? No! σ=1 always valid for M=1 choose σ, compute M σ e mod N homomorphic: valid (M 1,σ 1 ) and (M 2,σ 2 ) valid (M 1 M 2,σ 1 σ 2 ) 14
15 RSA-FDH Fix: assume full-domain hash function H : {0,1}* Z* σ H(M) d mod N Check that σ e = H(M) mod N What do we need/expect/hope to get from H? preimage of 1 hard to find one-wayness: hard to choose σ, compute M H -1 (σ e ) collision-resistance: hard to find M, M such that H(M) = H(M ) destroy algebraic structure: hard to find M 1,M 2,M 3 such that H(M 1 ) H(M 2 ) = H(M 3 ) mod N These are necessary properties, but are they sufficient? N 15
16 RSA PKCS #1 v1.5 Public Key Cryptography Standards (PKCS) by RSA Labs: H PKCS (M) = FF FF 00 h(m) where h is collision-resistant hash, e.g. SHA-1 Seems to prevent attacks, but provably secure? Candidate assumption: one-wayness of RSA N,e,y A x x R Z* N y x e mod N x R A(y) ow Adv RSA (A) = Pr [ y = (x ) e mod N ] Invert H PKCS (M) versus invert random element of Z* N Range of H PKCS is only fraction 1/2 864 of Z* N So RSA may be one-way yet invertible on H PKCS (M)! 16
17 Random oracle model Theory: give all parties (good & bad) access to random oracle = truly random function H: {0,1}* Z* consistent with previous queries ( dynamically built table) Practice: replace random oracle with hash function N pk A M H(M) M i σ i H( ) Sign H (sk, ) (pk,sk) R Kg (M,σ) R A H( ),Sign(sk, ) (pk) A wins iff Vf H( ), (pk,m,σ)=1 and M / {M 1,,M N } Adv uf-cma (A) = Pr [ A wins ] DS M,σ 17
18 The power of random oracles pk N,e,y A M H(M) M i σ i H( ) Sign H (sk, ) B A M H(M) M i σ i M,σ x Random oracle model is stronger than collision-resistant hash function hash: computable RO: unpredictable until queried pseudo-random function: PRF: secret key unknown to A RO: publicly accessible 18
19 Random oracle model: pros & cons Pros efficient, practical schemes clear security notion, some security guarantee (definitely better than ad-hoc design) excludes generic attacks (if scheme and hash function are independent ) Cons weaker security guarantee than standard model (contrived) counterexamples exist [CGH98] 19
20 Security of RSA-FDH Theorem: If RSA is (t,ε) one-way, then RSA-FDH signatures are (t,q H,q S,ε ) unforgeable in the random oracle model for t = t (q H + q S ) t exp ε = (q H + q S + 1) ε 20
21 Security proof of RSA-FDH Step 1: A makes one query H(M), forges on M N,e,y N,e B A M H(M) H( ) A M M, σ = H(M) d M,σ x 21
22 Security proof of RSA-FDH Step 1: A makes one query H(M), forges on M N,e,y N,e B N,e A M H(M) H( ) A M y M, σ = H(M) d M, σ = y d x = σ B(N,e,y): Run A(N,e), answering H(M) = y Until A outputs M,σ Return x = σ ε = ε', t t' 22
23 Security proof of RSA-FDH Step 2: A makes two queries H(M 1 ), H(M 2 ), forges on M i N,e,y B N,e A M 1 y M 2 y B(N,e,y): Run A(N,e), answering H(M 1 ) = y H(M 2 ) = y Until A outputs M,σ Return x = σ M, σ = y d x = σ Glitch!!! 23
24 Security proof of RSA-FDH Step 2: A makes two queries H(M 1 ), H(M 2 ), forges on M i N,e,y B N,e A M 1, σ = y d M 1 y M 2 h B(N,e,y): i* R {1,2} Run A(N,e), answering H(M i* ) = y H(M 3-i* ) = h R Z* N Until A outputs M i,σ If i i* then abort Return x = σ x = σ ε = ε' 2, t t' 24
25 Security proof of RSA-FDH Step 3: A makes q H queries H(M i ), forges on some M i (assume wlog M i all different, A queries H(M i ) before forging) B(N,e,y): i* R {1,,q H } Run A(N,e), answering H( ) using HSim( ) Until A outputs M i,σ If i i* then abort Return x = σ HSim(M i ): If i=i* then h i y Else h i R Z N * Return h i ε = ε' q + 1 H, t t' 25
26 Security proof of RSA-FDH Step 4: Signing queries (assume wlog M i all different, A queries H(M i ) before Sign(M i ) and forging) B(N,e,y): i* R {1,,q H } Run A(N,e), answering H( ) using HSim( ) Until A outputs M i,σ If i i* then abort Return x = σ HSim(M i ): If i=i* then h i y Else x i R Z N * h i x ie mod N Return h i SSim(M i ): If i=i* then abort Else return x i ε = q H ε' + q S + 1, t t' + (q H + q S ) t exp 26
27 Other signature schemes in the ROM RSA-PSS tight reduction from one-wayness of RSA alternatively use Katz-Wang, ACM CCS 2005 Bernstein, Eurocrypt 2008 Fiat-Shamir and variants factoring, RSA, discrete log, proof using forking lemma 27
28 Overview Provable security: the concept Digital signatures and the Random Oracle Model Public-key encryption in the ROM 28
29 Syntax of public-key encryption Public-key encryption scheme PKE = (Kg, Enc, Dec) where Key generation: (pk,sk) R Kg Encryption: C R Enc(pk,M) Decryption: M/ Dec(sk,C) Correctness: Dec(sk, Enc(pk,M)) = M 29
30 Chosen-plaintext security Desirable properties Given pk, hard to compute sk Given C, hard to compute M Given C, hard to compute last bit, parity, of M Security notion: IND-CPA = indistinguishability under chosen-plaintext attack pk A b (pk,sk) R Kg (M 0,M 1,state) R A(pk) where M 0 = M 1 M 0,M 1 b R {0,1} ; C* R Enc(pk,M b ) C* b R A(C*,state) A wins iff b = b Adv ind-cpa (A) = 2 Pr [b =b] 1 PKE = Pr[b =1 b=1] Pr[b =1 b=0] 30
31 Textbook RSA encryption Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) pk (N,e) ; sk (N,d) Enc(pk,M): C M e mod N Dec(sk,C): M C d mod N pk Is textbook RSA IND-CPA secure? A b M 0,M 1 C* 31
32 Textbook RSA encryption Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) pk (N,e) ; sk (N,d) Enc(pk,M): C M e mod N Dec(sk,C): M C d mod N Is textbook RSA IND-CPA secure? No! deterministic, so A can re-encrypt and compare if e = 3 and M < N 1/3 then Dec(C) = C 1/3 32
33 RSA PKCS#1 v1.5 M = random padding data 64 bits Seems to prevent attacks But provably secure? Unlikely: decisional IND-CPA game (output bit b) vs. computational one-wayness of RSA (output x Z* N) Insecure against stronger attacks: see later 33
34 The RSA-CPA scheme Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) H : Z N {0,1} m pk (N,e) ; sk (N,d) Encrypt(pk,M): x R Z N ; y x e mod N z H(x) M Return C = (y,z) Decrypt(sk,C): x y d mod N Return M = H(x) z 34
35 Security of RSA-CPA Theorem: If RSA is (t,ε) one-way, then RSA-CPA is (t,q H,ε ) IND-CPA secure in the random oracle model for ε = ε t = t q H t exp Proof idea: If A does not query H(x*) then C* is independent of m b pk A x H(x) M 0,M 1 C* H( ) B A N,e,y* x H(x) M 0,M 1 C* b x* 35
36 Proof of RSA-CPA (sketch) B(N,e,y): Run A(N,e), answering H( ) using HSim( ) Until A outputs M 0,M 1 z R {0,1} n ; C (y,z) Run A(C), answering H( ) using HSim( ) Until A outputs b Abort HSim(x): If x e = y mod N then Output x Else Return h R {0,1} n Let Q be event that A queries H(x*) ε = 2 ( Pr[ b=b Q ] Pr[Q] + Pr[ b=b Q ] Pr[ Q] ) 1 1 = ε = 1/2 1 2 ( ε + 1/2 ) 1 = 2 ε 36
37 Chosen-ciphertext security Stronger security notion: IND-CCA = indistinguishability under chosen-ciphertext attack pk (pk,sk) R Kg C Dec(sk, ) (M 0,M 1,state) R A Dec (pk) where M 0 = M 1 M b R {0,1} ; C* R Enc(pk,M b ) A M 0,M 1 C* C C* Dec(sk, ) M b R A Dec (C*,state) A wins iff b = b and never queried Dec(C*) Adv ind-cpa (A) = 2 Pr [b =b] 1 PKE = Pr[b =1 b=1] Pr[b =1 b=0] b Motivation: lunch-time attacks authenticated key exchange protocols 37
38 IND-CCA security of RSA-CPA Is RSA-CPA also IND-CCA secure? No! (y,z) encrypts M (y, z R) encrypts M R Do we care? Sealed-bid auction: outbid competitor at minimum price competitor submits (y,z) cheater submits (y, z 0 01) Joint random string generation: two parties encrypt random R 1, R 2 common random string R = R 1 R 2 attack: always force R = S first party submits (y,z) cheater submits (y, z S) 38
39 Bleichenbacher attack Is RSA PKCS#1 v1.5 IND-CCA secure? M = random padding data 64 bits Decryption: reject if padding incorrect Bleichenbacher 1998: No! Given oracle to test correct PKCS#1 formatting decrypt any C using to queries Such oracle is present in many crypto protocols, including SSL! PKCS#1 v2.0 adopted provably secure RSA-OAEP (Optimal Asymmetric Encryption Padding) 39
40 The RSA-CCA scheme Toy version of RSA-OAEP: less efficient, but simpler proof Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) H : Z N {0,1} m ; G : Z N {0,1} m {0,1} n pk (N,e) ; sk (N,d) Encrypt(pk,M): x $ Z N ; y x e mod N z H(x) M ; t G(x,z) Return C = (y,z,t) Decrypt(sk,C): x y d mod N If G(x,z) t then return Else return M = H(x) z 40
41 Security of RSA-CCA Theorem: If RSA is (t,ε) one-way, then RSA-CCA is (t,q D,q H,q G,ε ) IND-CCA secure in the random oracle model for ε = ε q D /2 n t = t (q H + q G + q D ) t exp Proof idea: If A does not query H(x) or G(x,z) then challenge ciphertext is independent of m b Answer decryption queries (y,z,t) by looking up t among previous responses of G 41
42 Other encryption schemes in the ROM RSA-OAEP based on one-wayness of RSA standardized in PKCS#1 v2.0, widely used DHIES CCA-secure variant of ElGamal Fujisaki-Okamoto transform CPA CCA security 42
CryptoVerif Tutorial
CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA
More informationDIGITAL SIGNATURES 1/1
DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan
More informationLecture 3: One-Way Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationChapter 12. Digital signatures. 12.1 Digital signature schemes
Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More information1 Domain Extension for MACs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More information1 Signatures vs. MACs
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures
More informationUniversal Padding Schemes for RSA
Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com
More informationProvable-Security Analysis of Authenticated Encryption in Kerberos
Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765
More informationLecture 15 - Digital Signatures
Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationCryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.
Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant
More informationOverview of Public-Key Cryptography
CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationCIS 5371 Cryptography. 8. Encryption --
CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.
More informationLecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationIdentity-Based Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationRSA OAEP is Secure under the RSA Assumption
This is a revised version of the extended abstract RSA OAEP is Secure under the RSA Assumption which appeared in Advances in Cryptology Proceedings of CRYPTO 2001 (19 23 august 2001, Santa Barbara, California,
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationMESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC
MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationDigital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem
Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies
More informationQUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University
QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)
More information1 Construction of CCA-secure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.
More informationTalk announcement please consider attending!
Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically
More informationCryptographic Hash Functions Message Authentication Digital Signatures
Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationCrittografia e sicurezza delle reti. Digital signatures- DSA
Crittografia e sicurezza delle reti Digital signatures- DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case
More informationChosen-Ciphertext Security from Identity-Based Encryption
Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes
More informationDigital signatures. Informal properties
Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.
More informationMessage Authentication Codes 133
Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in
More informationIdentity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru
More informationAuthenticated Encryption: Relations among notions and analysis of the generic composition paradigm
An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public
More informationFast Batch Verification for Modular Exponentiation and Digital Signatures
An extended abstract of this paper appears in Advances in Cryptology Eurocrypt 98 Proceedings, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., Springer-Verlag, 1998. This is the full version.
More informationLecture 5 - CPA security, Pseudorandom functions
Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationHow to Design a Successful One-Time Signature Scheme
CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography April 18, 2012 Lecture 13 Lecturer: Yevgeniy Dodis Spring 2012 This lecture is dedicated to constructions of digital signature schemes. Assuming
More informationOutline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg
Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian
More informationMAC. SKE in Practice. Lecture 5
MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve
More informationChosen-Ciphertext Security from Identity-Based Encryption
Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview
More informationAuthenticated encryption
Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption
More informationEnsuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results
Ensuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results Dario Catalano Dario Fiore Luca Nizzardo University of Catania Italy IMDEA Software Institute Madrid, Spain
More informationCiphertext verification security of symmetric encryption schemes
www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information
More informationDigital Signatures. Nicolas T. Courtois - University College of London
Nicolas T. Courtois - University College of London Roadmap Legal aspects What are Digital Signatures? How Secure they are? Main realizations known Applications 2 1. What is a [Digital] Signature? Legal
More informationDigital Signatures. Nicolas T. Courtois - University College London
Nicolas T. Courtois - University College London Roadmap Legal aspects What are Digital Signatures? How Secure they are? Main realizations known Applications 2 1. What is a [Digital] Signature? Legal Aspects
More informationOne-Way Encryption and Message Authentication
One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationAnonymity and Time in Public-Key Encryption
Anonymity and Time in Public-Key Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics
More informationMulti-Recipient Encryption Schemes: Efficient Constructions and their Security
This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. Multi-Recipient
More informationLecture 6 - Cryptography
Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about
More informationA Factoring and Discrete Logarithm based Cryptosystem
Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques
More informationSimplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings
Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March
More informationSecurity Arguments for Digital Signatures and Blind Signatures
Journal of Cryptology, Volume 13, Number 3. Pages 361 396, Springer-Verlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures
More informationPublic-Key Cryptanalysis
To appear in Recent Trends in Cryptography, I. Luengo (Ed.), Contemporary Mathematics series, AMS-RSME, 2008. Public-Key Cryptanalysis Phong Q. Nguyen Abstract. In 1976, Diffie and Hellman introduced the
More informationProofs in Cryptography
Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly
More informationBreaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring
Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationSchnorr Blind Signatures and Insights From a Computer Network Marketing Model
On the Security of One-Witness Blind Signature Schemes Foteini Baldimtsi and Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. Blind signatures have proved
More informationThe Exact Security of Digital Signatures How to Sign with RSA and Rabin
Appears in Advances in Cryptology Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., Springer-Verlag, 1996. The Exact Security of Digital Signatures How to Sign with
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationFoundations of Group Signatures: The Case of Dynamic Groups
A preliminary version of this paper appears in Topics in Cryptology CT-RSA 05, Lecture Notes in Computer Science Vol.??, A. Menezes ed., Springer-Verlag, 2005. This is the full version. Foundations of
More informationPost-Quantum Cryptography #4
Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack
More informationWildcarded Identity-Based Encryption
Wildcarded Identity-Based Encryption Michel Abdalla 1, James Birkett 2, Dario Catalano 3, Alexander W. Dent 4, John Malone-Lee 5, Gregory Neven 6,7, Jacob C. N. Schuldt 8, and Nigel P. Smart 9 1 Ecole
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationAuthentication and Encryption: How to order them? Motivation
Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key
More informationElements of Applied Cryptography Public key encryption
Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let
More informationRecongurable Cryptography: A exible approach to long-term security
Recongurable Cryptography: A exible approach to long-term security Julia Hesse and Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {julia.hesse, dennis.hofheinz, andy.rupp}@kit.edu
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationTrading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption
Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption Pascal Paillier 1 and Jorge L. Villar 2 1 Cryptography Group, Security Labs, Gemalto pascal.paillier@gemalto.com 2 Departament
More informationTable of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch
1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...
More informationLeakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives
Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More information8th ACM Conference on Computer and Communications Security 2001 5-8 November 2001 Philadelphia - Pennsylvania - USA
8th ACM Conference on Computer and Communications Security 2001 5-8 November 2001 Philadelphia - Pennsylvania - USA Twin Signatures: an Alternative to the Hash-and-Sign Paradigm David Naccache (Gemplus,
More informationSecuring Remote Access Inside Wireless Mesh Networks
This is the full version of the paper which appears in: Information Security Applications: 10th International Workshop, WISA 2009, Busan, Korea, August 25-27, 2009. H. Y. Youm, M. Yung (Eds.) Springer-Verlag,
More informationCIS433/533 - Computer and Network Security Cryptography
CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationSecurity/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan
Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global
More informationPaillier Threshold Encryption Toolbox
Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created
More informationNon-interactive and Reusable Non-malleable Commitment Schemes
Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the
More informationImplementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University
Implementation and Comparison of Various Digital Signature Algorithms -Nazia Sarang Boise State University What is a Digital Signature? A digital signature is used as a tool to authenticate the information
More informationSemantic Security for the McEliece Cryptosystem without Random Oracles
Semantic Security for the McEliece Cryptosystem without Random Oracles Ryo Nojima 1, Hideki Imai 23, Kazukuni Kobara 3, and Kirill Morozov 3 1 National Institute of Information and Communications Technology
More information